In its 2020 session, the Swiss Parliament passed the revised Federal Data Protection Act (FADP), which should come into force in the second half of 2022. The Swiss supervisory authority, the Federal Data Protection and Information Commissioner (FDPIC), has published a document outlining the important amendments, which is available here.
The revised FADP (revFADP) covers the data protection of natural persons only and, much like the GDPR, introduces new definitions for genetic and biometric data. The revFADP also incorporates the principles of privacy by design (data protection through technology design) and privacy by default. The FDPIC emphasises that such mechanisms should be implemented “through the use of customer-friendly” programmes that aid data protection.
Art. 10 of the revFADP provides for the appointment of data protection officers (DPOs), where required, either from within a business or from an outsourced provider, and free of conflicts of interest. Unlike under the GDPR, appointing a DPO is optional for a private business but a legal requirement for federal bodies. Where the DPO is professionally independent and autonomous, and the task is compatible with their role, a business can rely solely on in-house advice following a data protection impact assessment (DPIA), without needing to consult the FDPIC, even where the risk remains high. Private sector controllers are required to conduct a DPIA only if the planned processing involves a high risk to the privacy or rights of data subjects, for example when processing sensitive data. If a DPIA assesses the risk as high, the controller must obtain an opinion from the FDPIC, who may propose additional or modified measures, but only where the controller either has no DPO or has not consulted its DPO.
Also similar to the GDPR, data controllers and processors are now required to keep a record of all data processing activities (Art. 12). Cross-border transfers of data to third countries remain restricted to the Federal Council’s adequate protection list, unless adequate data protection can be assured.
The revFADP aligns with the GDPR transparency requirements in relation to the information controllers provide to individuals before their data is processed, but includes an additional requirement for data transfers to third countries—namely, that information on laws and any guarantees of appropriate levels of data protection should be provided. In addition, personal data that is only collected incidentally, “along the way” or by law is exempt from the transparency requirements. Data subject rights enshrined under the GDPR are replicated in the revFADP. The right to data portability does not apply where disclosure or transmission of the data to another controller would result in disproportionate cost or effort.
Just as in the GDPR, there is an obligation to report security data breaches to the FDPIC if there is a high risk of adverse effects on the privacy or fundamental rights of data subjects, which is a higher reporting threshold than that required under the GDPR. Controllers can voluntarily report breaches to the FDPIC where the risk is not high. While the FDPIC is under an obligation to investigate all violations of the revFADP, minor breaches will not be openly investigated.
Under Art. 51 para 1 of the revFADP, the FDPIC can conduct proceedings against processors and controllers, order changes to data processing and even order the deletion of personal data. The FDPIC also has new powers to require organisations to notify data subjects about a data security breach, where previously the FDPIC could only have referred the matter to the Swiss courts. Controllers and processors have rights of appeal to the Federal Administrative Court but the FDPIC may contest this. Much like the GDPR, Art. 11 of the FADP incentivises organisations to develop their own codes of conduct and to submit them to the FDPIC for an opinion.
The new FADP sets out fines for private persons of up to CHF 250,000 for those who intentionally breach it; there are no sanctions for negligence. The FDPIC can report an offence and enforce rights of a private claimant in proceedings, but cannot file a complaint. Even in the words of the FDPIC, the revFADP comes across as GDPR-light.